CN103295131B - A kind of conditional electronic payment system possessing transferability - Google Patents

Abstract

The invention discloses a kind of conditional electronic payment system possessing transferability, there is payment platform, bank, a requestee, described payer account, and at least one payee, it is characterised in that comprise the following steps: (1) pays and generates；(2) conditional jump；(3) user's registration；(4) additional transfer；(5) payment is cashed；(6) dual disburser is identified.The present invention has the beneficial effects that, does not both need the segmentation selection technique of poor efficiency constructed by the present invention, it is not required that complicated knowledge probative agreement, also eliminates demand in all conditions agreement of transfer, bank is online at any time simultaneously.And the conditional electronic payment system of the present invention possesses assignability, the further transaction currency that a series of payee can be anonymous can be made.

Description

A kind of conditional electronic payment system possessing transferability

Technical field

The present invention relates to E-Payment field, be specifically related to a kind of conditional electronic payment system possessing transferability.

Background technology

The E-Payment prototype (or electronic cash prototype) proposed by Chaum, it may be said that be one of most important application of contemporary cryptology.After it proposes, between nearly 30 years, substantial amounts of research work is all complete.Having two kinds of electronic cash Scheme is online and off-line respectively.Online electronic cash Scheme provides good solution can to the most thorny issue in electronic cash Scheme, for instance dual payment problem.But, it needs payee will contact with bank when transaction every time, and this is accomplished by bank any time will be online.It is to say, bank will become the bottleneck of this system development soon.Therefore, the scheme of off-line has more captivation when building electronic cash system.

Shi et al. first proposed a kind of new prototype and is called that conditional electronic pays.Compared with traditional electronic payment schemes, conditional electronic pays when meeting the public conditions necessarily decided through consultation, the electronic money that user will be allowed to issue with anonymous way cashing bank in certain time in the future.In addition, the electronic money in conditional payoff system in process of exchange not identity with payee bind mutually, in whole process, therefore just protect the anonymity of payee.Conditional electronic pays and is all highly profitable in substantial amounts of application, for instance market prediction, anonymous stake and securities trading on the net.

Shi et al. proposes the complete framework that conditional electronic pays simultaneously.But, select agreement and Secret sharing techniques owing to employing segmentation, the normally low effect of program right and wrong.Additionally, condition trade agreement needs the participation of bank.Although Carbunar proposes the offline versions that the conditional electronic based on Oblivious Transfer technology pays subsequently, it still uses the segmentation of poor efficiency to select agreement and Secret sharing techniques.

Blanton based on CL signature propose a kind of improvement conditional electronic pay (possessing transferability).This is a kind of off-line scheme, and does not use segmentation to select agreement.Therefore there is relatively low amount of calculation and traffic load.But, owing to employing CL signature, he needs the zero-knowledge proof of some complexity.A kind of effective structure looking for conditional electronic payment (possessing transferability) remains an interesting problem.

Summary of the invention

In view of the deficiencies in the prior art, it is contemplated that in providing a kind of efficient conditional electronic payment system.

To achieve these goals, the technical solution used in the present invention is as follows:

A kind of conditional electronic payment system possessing transferability, has payment platform, bank, a requestee, described payer account, and at least one payee, comprises the following steps:

(1) generation is paid, wherein, when described requestee wishes to extract a currency to described bank, described requestee need prove the proprietary rights of described payer account, and consulting a public information, by extracting agreement between both sides, final described requestee obtains the currency that bank cashes；

(2) conditional jump, wherein, when described requestee wishes to pay for his currency to described payee；Three randoms number generated by payee between both sides and Given information, carried out computing and Bilinear map checking, be verified rear payee and namely accept the currency that requestee sends.

(3) user's registration, the interaction protocol between and described bank.Wherein, described bank generates a restricted Partial Blind Signature to a concrete information, and this agreement is essentially identical with step (1) agreement, and the real value according to specifically electronic money is 0.Finally, it is thus achieved that effective certificate coin is as his representative；

(4) additional transfer, shifts a currency when hope and gives, and by three randoms number generated and Given information between both sides, carries out certain computing and Bilinear map checking, namely accepts the currency of transfer after being verified；

(5) cashing payment, beneficiary according to step (4) result sends currency to described bank；

(6) identifying dual disburser, dual memory or dual payment detect in described bank.

It should be noted that the public information consulted in described step (3) is.

The present invention has the beneficial effects that, does not both need the segmentation selection technique of poor efficiency constructed by the present invention, it is not required that complicated knowledge probative agreement, also eliminates demand in all conditions agreement of transfer, bank is online at any time simultaneously.And the conditional electronic payment system of the present invention possesses assignability, the further transaction currency that a series of payee can be anonymous can be made.

Detailed description of the invention

Below in conjunction with embodiment, the invention will be further described.

A kind of conditional electronic payment system possessing transferability, has payment platform, bank, a requestee, described payer account, and at least one payee, comprises the following steps:

(1) generation is paid, wherein, when described requestee wishes to extract a currency to described bank, described requestee need prove the proprietary rights of described payer account, and consulting a public information, by extracting agreement between both sides, final described requestee obtains the currency that bank cashes；

(2) conditional jump, wherein, when described requestee wishes to pay for his currency to described payee；Three randoms number generated by payee between both sides and Given information, carried out computing and Bilinear map checking, be verified rear payee and namely accept the currency that requestee sends.

(3) user's registration, the interaction protocol between and described bank.Wherein, described bank generates a restricted Partial Blind Signature to a concrete information, and this agreement is essentially identical with step (1) agreement, and the real value according to specifically electronic money is 0.Finally, it is thus achieved that effective certificate coin is as his representative；

(4) additional transfer, shifts a currency when hope and gives, and by three randoms number generated and Given information between both sides, carries out certain computing and Bilinear map checking, namely accepts the currency of transfer after being verified；

(5) cashing payment, beneficiary according to step (4) result sends currency to described bank；

(6) identifying dual disburser, dual memory or dual payment detect in described bank.

It should be noted that the public information consulted in described step (3) is.

In order to be better understood from the present invention, below in conjunction with embodiment, the invention will be further described:

1, generation is paid: when U wishes to extract a currency, he first has to prove account proprietary rights, and consults a public information c.For this, the extraction agreement between U and B is:

(1) B generates a random number r ∈_RΖ_q, and send z=(Ig₂)^rx, b=(Ig₂)^r, and a=y^rTo U.

(2) U checks e (z, g)=e (b, y)=e (Ig₂, a) whether set up.If equation is false, it will termination protocol.If setting up, U generates a series of random number α, λ, x₁,x₂,μ∈_RΖ_q, calculate A=(Ig simultaneously₂)^α, z'=z^αλ, b'=b^αλ, a'=a^λ,With $\tilde{m}=H(A,B,z^{\′},b^{\′},a^{\′},c){\left(g^{H_0\left(c\right)}y\right)}^{\mathrm{\μ}}.$ Then it sendsTo B.

(3) B feeds back to UThen U calculatesIf $e(\mathrm{\σ},g^{H_0\left(c\right)}y)=e(H(A,B,z^{\′},b^{\′},a^{\′},c),g),$ Then (A, B, c, (z', b', a', σ)) is exactly the U effective money knowing expression.

2, conditional jump: when U wishes to pay for his currency (A, B, c, (z', b', a', σ)) to S₁, following agreement will be performed:

(1) S₁Generate three random number α₁,β₁,γ₁∈_RΖ_q, then send $A_1={\left(I_1{g}_2\right)}^{{\mathrm{\α}}_1},B_1=g_1^{{\mathrm{\β}}_1}{g}_2^{{\mathrm{\γ}}_1}$ To U.

(2) d=H is made₁(A,B,A₁,B₁), U calculates r₁=d (μ₀α)+x₁Modq, r₂=d α+x₂Modq, then sends (A, B, c, (z', b', a', σ), r₁,VEDL(r₂)) to S₁。

(3) S₁Accepting currency, and if only if: A ≠ 1, e (z', g)=e (b', y)=e (A, a'), $e(\mathrm{\σ},g^{H_0\left(c\right)}y)=e(H(A,B,z^{\′},b^{\′},a^{\′},c),g),$ $g_1^{r_1}{g}_2^{r_2}=A^{d}B,$ And VEDL (r₂) it is r₂An encryption that effectively can verify that.

When the unfavorable result of event, U can with self participate in above-mentioned condition agreement of transfer.Same, U can pay in cash.

3, user's registration a: S_iAnd the interaction protocol between B.As a result, B generates a restricted Partial Blind Signature to a concrete informationIt is almost the same that this agreement generates agreement with payment.Only difference is that common information is c^*Rather than c, say, that the real value of electronic money is 0.Finally, S_iObtain an effective certificate coin (A_i,B_i,c^*,(z_i',b_i',a_i',σ_i)) as his representative.

4, additional transfer: work as S_iWish that one currency of transfer is to S_i+1(1≤i≤n-1), following agreement will be performed:

(1) S_i+1Generate three random number α_i+1, β_i+1, γ_i+1∈_RΖ_qAnd send ${(A}_{i+1}={\left(I_{i+1}{g}_2\right)}^{{\mathrm{\α}}_1+1},B_{i+1}=g_1^{{\mathrm{\β}}_{1+1}}{g}_2^{{\mathrm{\γ}}_{i+1}})$ To S_i。

(2) d is made_i=H₁(A_i,B_i,A_i+1,B_i+1), U calculates τ_i=d_i(u_iα_i)+β_iModq, v_i=d_iα_i+γ_iModq, and send (A, B, c, (z', b', a', σ), r₁,VEDL(r₂)) and (A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤i) to S_i+1.It is to say, transfer additional each time is by interpolation (A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤i) information is to currency.

(3) S_i+1Accept currency, and if only if A ≠ 1, e (z', g)=e (b', y)=e (A, a'), $e(\mathrm{\σ},g^{H_0\left(c\right)}y)=e(H(A,B,z^{\′},b^{\′},a^{\′},c),g),$ $g_1^{r_1}{g}_2^{r_2}=A^{d}B,$ VEDL(r₂) it is r₂An encryption that effectively can verify that, and A_j≠ 1, e (z'_j, g)=e (b'_j, y)=e (A_j,a'_j), $e({\mathrm{\σ}}_j,g^{H_0\left(c^{*}\right)}y)=e(H(A_j,B_j,z_j^{\′},b_j^{\′},a_j^{\′},c^{*}),g),$ $g_1^{{\mathrm{\τ}}_j}{g}_2^{v_j}=A_j^d{B}_j(1\≤j\≤i).$

When event ideal occurs, S_nSend VEDL (r₂If) to T. VEDL (r₂) it is effective, T calculating and sending send r₂To S_n.Finally.S_nStorage (A, B, c, (z', b', a', σ), r₁,r₂), (A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤n-1) and (A_n,B_n) as the currency that can cash.

5, payment is cashed: beneficiary S_i(1≤i≤n) sends currency (A, B, c, (z', b', a', σ), r₁,r₂), (A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤n-1) and (α_i,β_i,γ_i) to B.If S_kAnd S_l(k < l) has all cashed payment, and B just can track dual payer S_k。

For S_iThe currency provided, B first checks for the effectiveness of currency.If being verified all, then he search for deposit data base to search whether that A was stored.If be not stored before A, B is just (A, c, d, r₁,r₂), (A_j,c^*,d_j,τ_j,v_j) (1≤j≤i-1) and α_iStorage is in data base, and is attributed to S_iAccount in；Otherwise, B just calls the dual disburser's algorithm of identification.

6, identify that dual disburser: B can detect dual memory or dual payment by the following method:

(1) two different five-tuple (A, c, d, r are utilized₁,r₂) and (A, c, d', r₁',r₂'), B can calculate u₀=(r₁-r₁')/(r₂-r₂') modq follow the trail of dual disburser U.In this case, B also is understood that U first time extracts currency.

(2) two different five-tuple (A are utilized_j,c^*,d_j,τ_j,v_j) and (A_j,c^*,d'_j,τ'_j,v'_j), B can calculate u_j=(τ_j-τ'_j)/(v_j-v'_j) modq follow the trail of dual disburser S_j。

(3) making l < n-1 is maximum index, all A_j(1≤j≤l) has stored in data base.Utilize two different five-tuple (A_l,c^*,d_l,τ_l,v_l) and (A_k,c^*,d_k,τ_k,v_k), B can verify misdeed in the following manner:

If k < l, B can be inferred that S_k+1Attempting the payment that twice storage is identical, therefore he will refuse S_k+1Request；

If k > l, B can be inferred that S_l+1It is a dual disburser, because in this case, it is meant that same payment is both by S_l+1Cash, transferred the possession of by it again.Utilize A_l+1And a_l+1Information, B can calculate S_l+1Accounts information:

For a person skilled in the art, can technical scheme as described above and design, make other various corresponding changes and deformation, and all these change and deformation all should belong within the protection domain of the claims in the present invention.

Claims (2)

1. possess a conditional electronic payment system for transferability, there is payment platform, bank, a requestee, described payer account, and at least one payee S_i, it is characterised in that comprise the following steps:

(1) generation is paid, wherein, when described requestee wishes to extract a currency to described bank, described requestee need prove the proprietary rights of described payer account, and consulting a public information c, by extracting agreement between both sides, final described requestee obtains the currency that bank cashes；

1.1B generates a random number r ∈_RΖ_q, and send z=(Ig₂)^rx, b=(Ig₂)^r, and a=y^rTo U；

1.2U checks e (z, g)=e (b, y)=e (Ig₂, a) whether set up；If equation is false, it will termination protocol；If setting up, U generates a series of random number α, λ, x₁,x₂,μ∈_RΖ_q, calculate A=(Ig simultaneously₂)^α, z'=z^αλ, b'=b^αλ, a'=a^λ,WithThen it sendsTo B；

1.3B feeds back to UThen U calculatesIfThen (A, B, c, (z', b', a', σ)) is exactly the U effective money knowing expression；

(2) conditional jump, wherein, when described requestee wishes to pay for his currency to described payee；Three randoms number generated by payee between both sides and Given information, carried out computing and Bilinear map checking, be verified rear payee and namely accept the currency that requestee sends；When U wishes to pay for his currency (A, B, c, (z', b', a', σ)) to S₁, following agreement will be performed:

2.1S₁Generate three random number α₁,β₁,γ₁∈_RΖ_q, then sendTo U；

2.2 make d=H₁(A,B,A₁,B₁), U calculates r₁=d (μ₀α)+x₁Modq, r₂=d α+x₂Modq, then sendsTo S₁；

2.3S₁Accepting currency, and if only if: A ≠ 1, e (z', g)=e (b', y)=e (A, a'),And VEDL (r₂) it is r₂An encryption that effectively can verify that；

(3) user's registration, a S_iAnd the interaction protocol between described bank；Wherein, described bank generates a restricted Partial Blind Signature to a concrete information, and this agreement is essentially identical with step (1) agreement, and the real value according to specifically electronic money is 0, finally, and S_iObtain the representative as him of the effective certificate coin；Wherein: B generates a restricted Partial Blind Signature to a concrete informationIt is almost the same that this agreement generates agreement with payment；Only difference is that common information is c^*Rather than c, say, that the real value of electronic money is 0；Finally, S_iObtain an effective certificate coin (A_i,B_i,c^*,(z′_i,b′_i,a′_i,σ_i)) as his representative；

(4) additional transfer, works as S_iWish that one currency of transfer is to S_i+1(1≤i≤n-1), passes through S between both sides_i+1Three randoms number generated and Given information, carry out certain computing and Bilinear map checking, be verified rear S_i+1Namely S is accepted_iThe currency of transfer；

4.1S_i+1Generate three random number α_i+1, β_i+1, γ_i+1∈_RΖ_qAnd sendTo S_i；

4.2 make d_i=H₁(A_i,B_i,A_i+1,B_i+1), U calculates τ_i=d_i(u_iα_i)+β_iModq, v_i=d_iα_i+γ_iModq, and send(A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤i) to S_i+1；It is to say, transfer additional each time is by interpolation (A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤i) information is to currency；

4.3S_i+1Accept currency, and if only if A ≠ 1, e (z', g)=e (b', y)=e (A, a'),VEDL(r₂) it is r₂An encryption that effectively can verify that, and A_j≠ 1, e (z'_j, g)=e (b'_j, y)=e (A_j,a'_j),

(5) cashing payment, beneficiary according to step (4) result sends currency to described bank；Wherein: beneficiary S_i(1≤i≤n) sends currency (A, B, c, (z', b', a', σ), r₁,r₂), (A_j,B_j,c^*,(z'_j,b'_j,a'_j,σ_j),τ_j,v_j) (1≤j≤n-1) and (α_i,β_i,γ_i) to B；If S_kAnd S_l(k < l) has all cashed payment, and B just can track dual payer S_k；

For S_iThe currency provided, B first checks for the effectiveness of currency, is verified if all, and then he search for deposit data base to search whether that A was stored；If be not stored before A, B is just (A, c, d, r₁,r₂), (A_j,c^*,d_j,τ_j,v_j) (1≤j≤i-1) and α_iStorage is in data base, and is attributed to S_iAccount in；Otherwise, B just calls the dual disburser's algorithm of identification；

(6)=and identifying dual disburser, dual memory or dual payment detect in described bank；

6.1 utilize two different five-tuple (A, c, d, r₁,r₂) and (A, c, d', r'₁,r′₂), B can calculate u₀=(r₁-r'₁)/(r₂-r′₂) modq follow the trail of dual disburser U, in this case, B also is understood that U first time extracts currency；

6.2 utilize two different five-tuple (A_j,c^*,d_j,τ_j,v_j) and (A_j,c^*,d'_j,τ'_j,v'_j), B can calculate u_j=(τ_j-τ'_j)/(v_j-v'_j) modq follow the trail of dual disburser S_j；

6.3 to make l < n-1 be maximum index, all A_j(1≤j≤l) has stored in data base, utilizes two different five-tuple (A_l,c^*,d_l,τ_l,v_l) and (A_k,c^*,d_k,τ_k,v_k), B can verify misdeed in the following manner:

If k < l, B can be inferred that S_k+1Attempting the payment that twice storage is identical, therefore he will refuse S_k+1Request；

If k > l, B can be inferred that S_l+1It is a dual disburser, because in this case, it is meant that same payment is both by S_l+1Cash, transferred the possession of by it again, utilize A_l+1And a_l+1Information, B can calculate S_l+1Accounts information:

2. payment system according to claim 1, it is characterised in that the public information consulted in described step (3) is c^*。